We are, as a species, very bad at learning from our mistakes - and/or very lazy.

We're not just bad at learning long-term lessons, but also at picking up on simple things we're doing badly and starting to do them better.

That would seem to be the main conclusion to be drawn from looking at the passwords we use to authenticate ourselves online.

Despite great efforts to persuade us otherwise, we still choose bad ones, simple ones, obvious ones, and we reuse them in other places. Sites we use get hacked, our passwords are stolen and used to abuse our accounts, and, if we've been reusing, not just those at the hacked site.

They are later posted online so we can read entertaining stories of the "Aren't these passwords just comically bad" variety.

Using this sort of data as a measure of our password selection practices may be a little unfair though. It has been argued that the Adobe site is, for many users, considered a "low risk" site which doesn't need to be protected by a strong password.

If you're forced to create an account on a site which you're just visiting to download some free software, say, or to read some news, or to comment gushingly on someone's blog post, you're probably not going to worry about that account being taken over by a hacker.

At least, not as much as you would about your online banking login, or your personal email. Right?

Bad passwords OK?

So, why not use a low-grade password? I admit it's something I've done myself, many times.

A one-off account at a site you have no plans to revisit, using a throwaway email address, why bother with a strong password?

Maybe a lot of the obvious choices in the Adobe database, which has so heavily influenced our idea of the world's password habits, are down to similar downgrading of sites we don't consider important.

Maybe people generally are more careful and sensible, just not when visiting Adobe.

OK, so it's a little worrying that things like "photoshop" and "macromedia" also feature fairly high up on the Adobe list. That seems to hint that at least some of the people on there are actual paying customers of Adobe, and so have presumably provided things like billing addresses and banking details.

There's also been evidence of people reusing their favourite weak passwords elsewhere, on sites they're likely to care more about, and being forced to try harder.

But many may well just be casual visitors choosing casual passwords.

Bad passwords "better than nothing"?

Is that a bad thing? Not according to the UK's "cyber-security chief", Get Safe Online head Tony Neate, quoted in The Guardian arguing that a bad password is better than none.

This may make sense in some settings - mobiles, for example, can be left open for anyone to pick up and play with, or can be secured with a screenlock.

Even if your screenlock password is very basic, it should at least protect you from casual fiddling and from juice jacking, assuming the lock-screen settings are sensible.

Online though, there's rarely a "no password" option. And so, as biometrics have yet to emerge from the shadows and save us all from passwords forever, we still have to pick one, even for those piddling little sites we never plan to visit again.

Categorising the internet

Of course, there's a problem with using good passwords for important accounts and sloppy ones for trivial sites. The internet isn't divided into "important" and "trivial".

There's no icon in our browser address bar telling us we're on a trivial site and can be as careless as we like.

It's more of a continuum, ranging from highly sensitive to hardly sensitive at all, and which site fits where on that line will vary from person to person, maybe even from moment to moment as our usage patterns change.

So before we decide that an account is not worth securing, we have to think carefully about the implications. Can we be absolutely sure that there's nothing inside this account that could be valuable? No information that could be gleaned about us that could be made use of? No way it can be linked up to other accounts and used to access them?

It's unlikely that many of us do go through this process every time, and even those who do must make some mistakes or take some shortcuts somewhere.

So the best option, and also the easiest, is not to bother trying to categorise our accounts at all.

Tools are your friend

Use a password manager to generate a decent password for any account you set up. If you're not using one already, spend an hour finding the right one for you and getting used to how it works.

If you never use that account again, never mind. If you do come back, yay, you can get straight in without having to rack your brain.

If the plugin works nicely, you may not even have to do any typing.

And if you don't trust it with your most sensitive and precious accounts, you can keep them out of it, and stick with your own (carefully chosen, never reused) passwords for those.

For everything else, wherever it sits on your personal importance ranking system, a decent manager will do a better job than you of creating and remembering reasonably secure passwords, saving you the effort of deciding how important things are.

And if you really are setting up a single-use, throwaway account, on a strange machine you're wary of, and you're sure you don't mind if it gets hacked, then go ahead and use 123456, or iloveyou if you're that way inclined.

Just remember, it's likely to contribute to a "world's worst" list one day.
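As an added illustration of what a manager does for you (example code written for this page, not from any password manager product): it draws each new password from a CSPRNG, and an audit over a constructed vault flags exactly the problems the post describes, namely known-bad choices, low-entropy passwords, and the same password reused on a "trivial" site and an important one. The `KNOWN_BAD` set, the 60-bit threshold and the sample vault are assumptions for the demo.

```python
import math
import secrets
import string

# Constructed for this example: the "comically bad" choices the post mentions.
# A real checker would consult a full breached-password corpus.
KNOWN_BAD = {"123456", "iloveyou", "photoshop", "macromedia", "password"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Manager-style random password from a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def estimated_bits(password: str) -> float:
    """Generous upper-bound entropy estimate from the character classes used."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def audit_vault(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each account to its problems: known-bad, weak (< 60 bits), reused."""
    users_of = {}
    for site, pw in vault.items():
        users_of.setdefault(pw, []).append(site)
    problems = {}
    for site, pw in vault.items():
        issues = []
        if pw.lower() in KNOWN_BAD:
            issues.append("known-bad")
        if estimated_bits(pw) < 60:  # assumed threshold for this demo
            issues.append("weak")
        if len(users_of[pw]) > 1:   # reuse is the cross-site risk the post describes
            issues.append("reused")
        if issues:
            problems[site] = issues
    return problems
```

Running `audit_vault` over a constructed vault such as `{"blog-comments": "iloveyou", "bank": "iloveyou", "adobe": "photoshop", "forum": generate_password()}` flags the bank login as reused from a throwaway account, while the generated password passes.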

11 Responses to Are our passwords really that bad? And does it really matter?

I think a big problem for many (i.e. me) is sites that insist on resetting forgotten passwords. Do they really believe that, if you can't remember the old one, you're going to remember the new one? If you have to keep resetting complex passwords, you're a lot less likely to remember them, I think. The other option is to write them down on, say, a Post-it note, and keep them near the computer. Stuck to the front for easy access sounds good. The other one is to put them in an email and keep them in an account that you always remember the password for. A title like "passwords" is also useful if you need to search for them.

But an email with the title "passwords" is handy for the crooks (or the NSA, if that concerns you) to search for, too.

If you want to condense your digital security situation to one password, you probably want to look at one of the various "password vault" programs out there that generate long, wacky passwords for each account you use, and store them encrypted with a master password. Which, of course, you need to guard strongly - but there's only one to do that for.

You don't even need to use a "bad" password on trivial sites. Just use a common password you can remember and use it for all the sites whose security just doesn't matter to you. Just don't ever accidentally use it someplace that is important.

Biggest problem with password managers is being able to access that password when you're not in front of the desktop at home that holds the password manager tool. So then people look at third-party storage or even throwing them into things like EverNote that can be accessed by multiple devices, and we introduce new trust issues.

For me, I always question if I will ever *need* to access something important when I'm not at home. Usually that answer is no.

And yet, none of these inconveniences make me think we should get rid of passwords and replace them with SSO, or biometrics, or some other mechanism.

With a program like KeePass you can copy the encrypted database file to an internet storage provider like Google Drive. Provided your passphrase is long enough (preferably more than 20 characters) you don't have to worry about it being cracked.

You can also copy the portable version of the program to the storage so that you can use it anywhere without installing it.

I like the theory of a password manager, but what happens when a computer fails? My household has had 3 failures in the last year. Is there something I can back up to 2 USB sticks (in case one of them fails) that would allow me to recover my password manager and its essential data? Then aren't the USB sticks a vulnerability?

I run a password manager program on a USB stick. It does not need to be 'installed' on Windows and there are programs on all the platforms I use (windows, Linux, iOS, android) that can read and write the password safe. There really is no excuse NOT to use a password manager.

Curious to know what they are!
I regularly switch between Linux/Windows/Android, and I'm interested in a password manager, but I *really* don't trust the online ones.
Call me paranoid, but all my passwords in one place, somewhere on the internet... Nope!

USB ones at least it's my fault if it goes missing, and I know I need to do something about it.

Respect for quality passwords is aggravated by website designers with an overinflated sense of their importance. One site I use is a Drupal CMS (similar to WordPress). Although no finances are involved and 99% of the information is on the public side (meeting minutes, volunteer opportunities, class announcements), the administrator insists on 8-character passwords including both cases, and at least one letter, one number, and one special character. And when you do forget that monstrosity and request a reset, you find that the admin disallows use of any of the last 20 (!) passwords, so you can't reuse the one you forgot.

This is just silly. Distinct and difficult passwords are needed for banks and email, maybe purchasing at sites which retain your credit card number, but not for innocuous sites. No wonder the users revolt.

Disagree. There aren't really "innocuous sites" for any login that allows access to content that is branded as yours. (Most Tweets are public. Are you saying that it's harmless for me to guess your Twitter password in order to tweet "as if I were you"? Maybe a link to malware that your friends are inclined to click on because it didn't seem to come from a scammer?)

What about someone posting bogus class announcements? Libellous minutes? Soliciting volunteers through a fraudulent website? Aren't you worried about the veracity of your public content?

PS. If you do a password reset because you forgot your password...how could you re-use that old password anyway? You forgot it, remember :-)

About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.